Program or Policy?
It will make a big difference to the Justice Department.
Each of your firms undoubtedly has many compliance policies in place to deal with a seemingly limitless number of legal obligations and exposures.
A compliance policy on its own no longer cuts it—enforcement authorities expect to see a compliance program tailored to the risks the company faces and effectively implemented and operated.
In a not-so-subtle steady drumbeat over the past year, the Justice Department made it clear a “fire and forget” compliance policy no longer passes muster.
Recently, a company was held responsible for corrupt activities in its China subsidiary. There was no evidence of headquarters’ involvement or knowledge. Rather, it was the lack of activity that created the basis for liability. The Justice Department said the company failed to take any steps to ensure a nifty set of policies had been promulgated at the subsidiary and to ensure they had actually been implemented. In other words, they had a policy but no program.
A compliance policy on its own no longer cuts it.
The recent appointment of the department’s first internal compliance expert, and Assistant Attorney General Leslie Caldwell’s speech lauding that appointment, marks another nail in the “fire and forget” coffin. Caldwell referred to such compliance programs as “paper programs.” Her speech highlighted factors the department will look to in assessing compliance programs offered as a corporate defense to employee malfeasance.
The following questions in italics are Caldwell’s; the commentary is ours:
Tone at the Top: Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
Nothing new here.
Organizational Authority and Visibility: Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to actual resources? Of course we don’t expect that a small company has the same compliance resources as a Fortune 50 company.
The second question is a twist. Call it the Benghazi factor—an email record filled with the complaints of a resource-constrained compliance program is a ticking time bomb, especially when the disgruntled former compliance employee finds his or her whistle. Does this mean compliance gets a blank check? No. But it does mean the resources allocated to compliance should be tied to risk and changes in risk, separate and apart from the company’s overall economics. If the firm’s overall economics require a reduction in resources, so be it, but make that change a smart change through a risk-based methodology.
You also need to make certain your firm is not out of sync with your peers. If your similarly sized competitors devote more funding and resources to their compliance programs than you do to yours, it will reflect badly.
Accessibility: Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
There have been cases in which compliance policies were not translated into the language of the host country where a company operated.
Training, Beyond Check the Box: Does the institution ensure its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which includes direction regarding what to do or who to consult when issues arise?
It used to be a great answer to say everyone does an online training. A one-size-fits-all training for worldwide employees is a good start but nowhere near the end of a program capable of creating alignment between employee attitudes and corporate policy.
Living Policies and Continuous Improvement: Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if an entity based in the United States acquires or merges with another business, especially a foreign one.
If your policies have not been updated in five years, they are out of date. And when policies are updated, those changes both illustrate the company’s commitment to a real program and provide a great vector reinforcing training in the basics of the program.
Consequences: Are there mechanisms to enforce compliance policies? Those include incentivizing good compliance and disciplining violations. Is discipline even-handed? The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message—to other employees, to the market and to the government—about the institution’s commitment to compliance.
A program should be integrated into the company’s existing business systems and procedures. For example, compliance should be integrated into personnel assessment systems, including but not limited to compensation systems. It is difficult to argue with Justice officials who say: “We know what company X values, and so do its employees, because those values are directly reflected in the metrics on which compensation is based.”
Beyond the Walls: Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action, including termination of a business relationship, if a partner demonstrates a lack of respect for laws and policies.
Contract language and certifications are necessary but not sufficient. Audit clauses that actually are used and consequences for noncompliance get you to sufficiency.
So, do you merely have a compliance policy, or do you have a complete program? When the enforcement authorities come calling, only the latter will suffice.
